[keystone] scope enforcement ready for prime time?

Mark Goddard mark at stackhpc.com
Wed May 6 21:17:54 UTC 2020


Hi,

I have a use case which I think could be fulfilled by scoped tokens:

Allow an operator to delegate the ability to an actor to create users
within a domain, without giving them the keys to the cloud.

To do this, I understand I can assign a user the admin role for a domain.
It seems that for this to work, I need to set [oslo_policy] enforce_scope =
True in keystone.conf.

The Train cycle highlights suggest this is now fully implemented in
keystone, but most other projects lack support for scopes. Does this mean
that in the above case, the user would have full cloud admin privileges in
other services that lack support for scopes? i.e. while I expect it's safe
to enable scope enforcement in keystone, is it "safe" to use it?

Cheers,
Mark
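To make the question concrete, here is an added illustration (not keystone's or oslo.policy's own code) of a simplified model of how oslo.policy applies `enforce_scope`: a rule that declares `scope_types` rejects a domain-scoped token when enforcement is on, while a legacy rule that only checks `role:admin` (typical of services without scope support) never consults scope at all. The rule names, the credential dict and the `Rule` class are constructed for this example and are assumptions, not real policy names.

```python
class InvalidScope(Exception):
    """Raised when the token's scope is not in the rule's scope_types."""

class Rule:
    def __init__(self, name, required_role, scope_types=None):
        self.name = name
        self.required_role = required_role
        # Legacy rules from services without scope support set no scope_types.
        self.scope_types = scope_types

def token_scope(creds):
    """Derive the scope of a token from its credential dict."""
    if creds.get("system"):
        return "system"
    if creds.get("domain_id"):
        return "domain"
    if creds.get("project_id"):
        return "project"
    return None

def enforce(rule, creds, enforce_scope):
    """Return True if the role check passes; raise InvalidScope on a scope
    mismatch only when enforce_scope is on (otherwise it is merely logged)."""
    if rule.scope_types is not None:
        scope = token_scope(creds)
        if scope not in rule.scope_types:
            if enforce_scope:
                raise InvalidScope(f"{rule.name} needs {rule.scope_types}, got {scope}")
            # enforce_scope = False: mismatch is a warning, not a denial
    return rule.required_role in creds.get("roles", [])

# Constructed sample: a user holding 'admin' on a single domain only.
DOMAIN_ADMIN = {"domain_id": "example-domain-id", "roles": ["admin"]}

# Hypothetical keystone-style rule restricted to system scope.
SYSTEM_ONLY_RULE = Rule("identity:system_only_op", "admin", scope_types=["system"])
# Hypothetical legacy rule from a service without scope support: just role:admin.
LEGACY_RULE = Rule("legacy_service:admin_only_op", "admin")

def domain_admin_on_system_rule(enforce_scope):
    """Outcome for the domain admin against the scope-aware rule."""
    try:
        return enforce(SYSTEM_ONLY_RULE, DOMAIN_ADMIN, enforce_scope)
    except InvalidScope:
        return False

def domain_admin_on_legacy_rule(enforce_scope):
    """Outcome for the same domain admin against the legacy rule."""
    return enforce(LEGACY_RULE, DOMAIN_ADMIN, enforce_scope)
```

The legacy rule passes for the domain admin whether or not `enforce_scope` is set, which is the behaviour the question above is worried about; only rules that declare `scope_types` benefit from the setting.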